Phone numbers are some of the most commonly used passwords for WEP/WPA encrypted wireless networks. Several ISP’s use them as default passwords for their routers for easy to remember access. By creating a list of every possible phone number combination with a specific area code, generally your own area code, it will give you quick access to most wireless networks using a dictionary attack. Using crunch built into Backtrack 5R2, you can quickly generate every possible number combination beginning with a specified area code.
Applications > BackTrack > Privilege Escalation > Password Attacks > Offline Attacks > crunch
Use the following command
./crunch 10 10 -t 123%%%%%%% -o /root/123.txt
Explanation of command. 10 refers to the number of characters. The -t command allows you to specify a pattern where only the @’%^ characters will change, in this case the %. The 123 is where the area code will go followed by 7 % characters. The -o is for output and can be saved anywhere. Make sure to save it as a .txt file. This will only take a few seconds and will say 100% when finished. Now you can load these in Gerix and bruteforce WPA.
Note: Most cities have multiple area codes. To combine multiple files into one just do a ‘cat 123.txt 456.txt 789.txt >> all.txt’